How To Build an ROI for the GDPR

Last month, the Financial Times held a debate on the GDPR at their Cyber Security Summit in London. The proposition: "The EU's new data protection rules will impose an unnecessary burden on business". I've listened to it online a few times. If you care about data governance, you'll want to listen to it for yourself. It's quite thought-provoking, but I think the panelists missed an important point.

As one speaker noted, all regulations by definition impose burdens. The key is whether the burden is necessary, and to determine that you need to weigh the burden against the value. The problem with the debate was that the panelists lacked a shared understanding of the intended goal of the regulation, so each weighed the burden against a different value.

Those speaking in favor of the proposition (and therefore against the GDPR) argued that the goals of any European Commission regulation should be to improve the competitive landscape for European business, that this regulation is anti-competitive, and that while customers want their data protected, the natural forces of the market will favor those companies that give customers what they want, so in the end, no regulation is needed.

Those speaking against the proposition (and therefore in favor of the GDPR) argued that the value of the regulation was primarily in harmonizing the 28 separate sets of data protection regulations into one unified set of regulations, thereby lowering the costs of competition.